[00:02.220 --> 00:04.320]  Enable streamer mode.
[00:05.820 --> 00:08.120]  Do we want that disabled?
[00:08.280 --> 00:10.480]  I think you want it enabled, don't you?
[00:15.660 --> 00:17.300]  That was my assumption.
[00:17.820 --> 00:21.440]  Alright, well we should be going live.
[00:22.400 --> 00:24.300]  Now we're live.
[00:24.800 --> 00:27.540]  Okay, let's push that recording button.
[00:30.700 --> 00:32.940]  Alright, chat!
[00:32.940 --> 00:36.540]  If anybody is hanging out watching TrackOne,
[00:36.540 --> 00:41.680]  feel free to start talking in the TrackOne channel on Discord.
[00:41.680 --> 00:49.260]  You're also welcome to start giving us some questions over in the TrackOne live Q&A channel.
[00:49.260 --> 00:56.800]  In the meantime, let's introduce our guests for right now.
[00:56.800 --> 00:59.480]  We have Olek and we have Poontester.
[00:59.480 --> 01:04.460]  I'm sure you two will come up with better ways to explain how to pronounce your names.
[01:04.480 --> 01:06.920]  But thank you very much for joining us today.
[01:06.920 --> 01:10.380]  Give us the name of the talk that you did,
[01:10.380 --> 01:14.520]  and we'll start asking you some silly questions about it.
[01:16.400 --> 01:21.000]  Okay, so the talk was Room for Escape,
[01:21.000 --> 01:23.800]  Scribbling Outside the Lines of Template Security.
[01:23.800 --> 01:27.440]  A talk around content management systems,
[01:27.440 --> 01:31.840]  and in particular the template engines used in these systems,
[01:31.840 --> 01:38.420]  and how we were able to break out of the sandboxes that they put in place.
[01:39.020 --> 01:44.740]  If you have any questions about the talk or anything else,
[01:44.740 --> 01:46.960]  maybe we can help you.
[01:47.660 --> 01:49.980]  Just feel free to ask anything.
[01:49.980 --> 01:52.040]  How do you like your handle pronounced?
[01:54.240 --> 01:56.160]  I pronounce it Poontester.
[01:56.160 --> 01:56.640]  Poontester?
[01:56.640 --> 01:58.000]  I don't know if that's better.
[01:58.640 --> 02:04.360]  I think that we just entered into one of the mighty arguments in the hacker world,
[02:04.360 --> 02:05.920]  if it's Pwn or Pwn.
[02:06.040 --> 02:09.740]  So we're going to go with Pwn because that sounds a little bit better.
[02:10.980 --> 02:14.540]  So Olek, go ahead and give your little bit of an intro.
[02:16.000 --> 02:16.960]  About myself?
[02:17.200 --> 02:18.880]  Yeah, we'll click over to you.
[02:20.080 --> 02:23.910]  I've been a security researcher for more than 10 years already,
[02:24.460 --> 02:28.040]  and I'm working for Micro Focus Fortify.
[02:28.620 --> 02:37.020]  And I'm happy to have a chance to work with Pwntester for a couple of years already,
[02:37.020 --> 02:40.920]  and it's our fourth shared research.
[02:40.920 --> 02:43.880]  And I'm happy with these results,
[02:43.880 --> 02:47.440]  and I hope to get something similar in the next years.
[02:47.440 --> 02:48.720]  Absolutely.
[02:48.720 --> 02:50.300]  I will retire.
[02:51.600 --> 02:54.060]  Yeah, so that's a good segue, actually,
[02:54.060 --> 02:57.720]  to talk while we're waiting for people to come up with some good questions for you.
[02:57.720 --> 02:59.760]  Tell us a little bit about some of the...
[03:00.280 --> 03:04.320]  This is definitely not your first talk here at DEF CON,
[03:04.320 --> 03:10.260]  so just briefly give us some background on where you came from
[03:10.260 --> 03:13.620]  and what the earlier talks were,
[03:13.620 --> 03:17.540]  so that people know how to reach back and find you in the archives.
[03:17.540 --> 03:20.300]  And then maybe touch on,
[03:20.300 --> 03:24.660]  how does this one feel different than the other talks that you've done?
[03:27.610 --> 03:35.890]  Okay, so I think the first one that we did together was Friday the 13th, JSON attacks.
[03:36.310 --> 03:38.130]  No, actually it was...
[03:38.130 --> 03:40.970]  Sorry, it was JNDI injections.
[03:41.030 --> 03:41.770]  It was the first one.
[03:41.770 --> 03:44.810]  Did we present that at DEF CON or just at Black Hat?
[03:44.950 --> 03:46.330]  Just at Black Hat, you're right.
[03:47.240 --> 03:51.870]  So the first one that we presented together was the JNDI injection.
[03:51.870 --> 03:58.290]  I think the full title was something like JNDI injection...
[03:59.330 --> 04:01.470]  How was that?
[04:01.470 --> 04:03.970]  Dreamland to RCE something.
[04:04.790 --> 04:07.750]  Yeah, no, like a trip into RCE.
[04:07.750 --> 04:10.930]  I don't know. I don't remember the title anymore.
[04:10.930 --> 04:17.890]  That was around JNDI injection in the Java ecosystem,
[04:17.890 --> 04:23.120]  which was then used for many of the deserialization gadgets.
[04:23.630 --> 04:26.190]  So that was a good one.
[04:26.190 --> 04:29.210]  And then before that one, I presented at DEF CON,
[04:29.210 --> 04:32.260]  one with Dinis Cruz and Abraham Kang,
[04:32.450 --> 04:38.330]  that was called Resting on Your Laurels Will Get You Pwned, or Powned.
[04:38.330 --> 04:42.030]  Yeah, that was a nice one.
[04:42.030 --> 04:46.510]  So the first one that we did together was this about JNDI injection attacks.
[04:46.510 --> 04:50.490]  Then the first one that when we presented at DEF CON
[04:50.490 --> 04:54.170]  and we had to drink our shots as newbie speakers
[04:54.170 --> 05:00.050]  was this one about JSON attacks, JSON deserialization attacks.
[05:00.050 --> 05:00.710]  Gotcha.
[05:00.710 --> 05:08.190]  And then last year we presented SSO Wars: The Token Menace,
[05:08.190 --> 05:15.730]  where we presented an attack on some implementation in Microsoft stacks
[05:15.730 --> 05:19.390]  that was flowing in .NET framework.
[05:19.830 --> 05:25.170]  And now this year we repeat again as a team with this one.
[05:26.350 --> 05:29.730]  Excellent. We really appreciate that you both came out to do that.
[05:31.070 --> 05:35.410]  You two, as we're waiting for people to jump in with more questions,
[05:35.410 --> 05:38.870]  you did present me with one that I'm going to sneakily slide in here
[05:38.870 --> 05:40.610]  as if somebody else asked it.
[05:40.610 --> 05:43.850]  The vulnerabilities that you disclose all seem to require
[05:43.850 --> 05:47.130]  that the attacker have user-level access to the system.
[05:47.130 --> 05:48.430]  Is that true?
[05:50.190 --> 05:51.890]  Is that a hurdle for most...
[05:51.890 --> 05:54.850]  Oh, see, now I'm talking over you. So your turn, Hugo.
[05:55.970 --> 05:58.350]  Okay, I think it's mostly true.
[05:58.350 --> 06:01.470]  It still depends on applications, on configuration,
[06:01.470 --> 06:03.510]  on specific configuration.
[06:03.510 --> 06:06.410]  But to be able to perform such attacks,
[06:06.410 --> 06:11.070]  attackers should be able to create or at least modify some template.
[06:11.210 --> 06:16.250]  And in most cases, it's at least user-level account.
[06:16.250 --> 06:18.790]  For SharePoint, it's just user-level account.
[06:18.790 --> 06:21.690]  It's default configuration and just user-level account.
[06:21.690 --> 06:24.810]  Any user in default configuration can do this.
[06:24.810 --> 06:28.330]  For other applications, it still depends.
[06:28.330 --> 06:30.270]  Sometimes it's just user-level.
[06:30.270 --> 06:34.330]  Sometimes you need to be like writer or some other roles,
[06:34.330 --> 06:36.410]  more powerful roles.
[06:36.410 --> 06:38.730]  Sometimes even administrator.
[06:39.330 --> 06:44.050]  So one requirement for our attack,
[06:44.050 --> 06:47.790]  attackers should be able to manage these templates,
[06:47.790 --> 06:52.370]  or ASPX pages in the case of SharePoint.
[06:52.370 --> 06:54.330]  Okay, so maybe not.
[06:54.330 --> 06:58.710]  The minimum is just they have to be able to deal with the SharePoint side.
[06:58.710 --> 07:00.990]  They have to be able to control that.
[07:00.990 --> 07:04.350]  But it's not necessarily that...
[07:04.350 --> 07:13.570]  So for SharePoint, it's a bit simpler.
[07:13.570 --> 07:18.610]  Any user can have access to their own private site and can manage it.
[07:18.610 --> 07:20.650]  It's your site.
[07:20.650 --> 07:26.290]  And you can use at least this site for performing attacks.
[07:26.290 --> 07:28.730]  For other applications, yes.
[07:28.730 --> 07:32.870]  It depends on configuration, depends on permission for specific projects,
[07:32.870 --> 07:38.750]  for specific sub-sites and other things.
[07:38.750 --> 07:39.610]  Okay.
[07:41.230 --> 07:45.110]  So I was going to add that our assumption in this talk
[07:45.110 --> 07:49.670]  is that we were able or the attacker were able to control the templates.
[07:49.670 --> 07:57.130]  And then our research was around breaking outside of those sandboxes.
[07:57.130 --> 08:02.710]  So in a similar way that we may present something around breaking mitigations
[08:02.710 --> 08:08.030]  for buffer overflows, but our research was not how to find those buffer overflows
[08:08.030 --> 08:09.930]  in the first place.
[08:09.930 --> 08:16.090]  So I'm saying that because apart from being able to control the contents
[08:16.090 --> 08:20.090]  of the template, different vectors may include things
[08:20.090 --> 08:24.150]  like server-side template injection, or maybe, for example,
[08:24.150 --> 08:27.070]  if there is a cross-site scripting vulnerability in that page,
[08:27.070 --> 08:32.650]  you can use that to fool a victim into submitting a malicious template
[08:32.650 --> 08:34.170]  on your behalf.
[08:34.170 --> 08:38.750]  Or maybe there is a cross-site request forgery that you can use
[08:38.750 --> 08:41.910]  in order to manipulate or modify the template content.
[08:41.910 --> 08:46.510]  So we didn't really care about how you were able to get access to the content.
[08:46.510 --> 08:50.650]  It may be because you have access to, like Alexander explained,
[08:50.650 --> 08:54.110]  it's the normal case, for example, in things like SharePoint
[08:54.110 --> 08:57.410]  or a wiki, for example, where you can edit your own articles
[08:57.410 --> 08:58.370]  and things like that.
[08:58.370 --> 09:02.150]  But maybe in other systems, some of the ones that we reported,
[09:02.150 --> 09:04.730]  like Office, for example, they were vulnerable to server-side
[09:04.730 --> 09:05.950]  template injection.
[09:06.110 --> 09:11.890]  And for example, in some cases, we were able to request trial accounts
[09:11.890 --> 09:15.610]  in content management systems that were deployed on the cloud,
[09:15.610 --> 09:19.150]  like in software-as-a-service architectures.
[09:19.150 --> 09:24.690]  And with those trial accounts, we were able to pwn those servers
[09:24.690 --> 09:26.970]  and compromise the underlying servers.
[09:27.230 --> 09:33.990]  So in a big way, you've given us another step in our chain,
[09:33.990 --> 09:39.110]  another tool to escalate how much damage we can do once we have a foothold.
[09:40.390 --> 09:41.650]  Yeah, exactly.
[09:41.650 --> 09:42.310]  Excellent.
[09:42.310 --> 09:48.390]  What level of access were you using to get that remote code execution?
[09:48.390 --> 09:52.510]  Were you just a regular user and able to escalate that far?
[09:53.110 --> 09:56.610]  So in some cases, like Alexander explained for SharePoint,
[09:56.610 --> 10:01.090]  just having an account in SharePoint, like a regular user account,
[10:01.090 --> 10:02.970]  allows you to create your own site.
[10:02.970 --> 10:06.390]  And then you can control the template or the ASPX page,
[10:06.390 --> 10:08.130]  in this case for SharePoint.
[10:08.130 --> 10:10.590]  And then you can use that to get remote code execution
[10:10.590 --> 10:12.690]  on the underlying server.
[10:12.790 --> 10:16.390]  In other cases, like XWiki, just a regular user as well.
[10:16.410 --> 10:19.190]  Other systems, like for example, Atlassian Confluence,
[10:19.190 --> 10:24.270]  you were required to be administrator in order to edit a template.
[10:24.270 --> 10:27.170]  So in those systems, either you are an administrator,
[10:27.170 --> 10:29.430]  so it's kind of more like an insider attack,
[10:30.210 --> 10:34.550]  or maybe those systems are vulnerable, as I explained before,
[10:34.550 --> 10:36.610]  you find a cross-site scripting vulnerability,
[10:36.610 --> 10:38.970]  and you can escalate from cross-site scripting
[10:38.970 --> 10:43.170]  to remote code execution by being able to fool the victim
[10:44.170 --> 10:48.030]  to submit or modify a template on your behalf.
[10:50.430 --> 10:54.370]  Okay, so can you give us a little bit of background
[10:54.370 --> 10:57.370]  on how you came upon this type of research?
[10:57.370 --> 11:01.270]  What was your entry point into doing this attack?
[11:04.310 --> 11:06.790]  It's not easy to answer.
[11:06.790 --> 11:11.750]  It's as usual: when you have some target that allows you something,
[11:11.750 --> 11:15.570]  and you think, wow, that's a lot of things for attackers,
[11:15.570 --> 11:17.410]  and the game starts.
[11:17.410 --> 11:21.250]  You try to use one thing to bypass something.
[11:21.250 --> 11:26.750]  For example, SharePoint allows you to upload ASPX pages.
[11:26.750 --> 11:31.870]  So the first thing: why can't we just put the code there
[11:31.870 --> 11:33.890]  and execute code there?
[11:33.890 --> 11:36.010]  No, we cannot. Why can't we?
[11:36.010 --> 11:38.110]  And the game starts.
[11:39.630 --> 11:42.110]  And it's not only SharePoint.
[11:42.110 --> 11:46.210]  There are a lot of such servers or services that allow you
[11:46.210 --> 11:50.650]  to define some templates for dynamic content,
[11:50.650 --> 11:53.650]  and actually you can access getters.
[11:53.650 --> 11:55.630]  You can access some methods.
[11:55.630 --> 11:58.270]  You can access some objects.
[11:58.750 --> 12:00.430]  Why we cannot abuse them?
[12:00.430 --> 12:03.200]  Let's try. Let's see what we can do.
[12:03.200 --> 12:06.360]  What we can do further with all this stuff.
[12:06.420 --> 12:10.540]  And that starts our research investigation,
[12:10.540 --> 12:13.580]  and at the end, we have such results.
[12:14.360 --> 12:16.320]  You chained it down.
[12:16.960 --> 12:18.220]  I'm on mute.
[12:18.220 --> 12:20.780]  So you pushed it down that direction. That makes sense.
[12:21.440 --> 12:26.740]  And I'm assuming then we're kind of talking to a general mindset
[12:26.740 --> 12:29.200]  when you're doing your normal day-to-day work.
[12:29.200 --> 12:31.580]  You find something that's a little funny,
[12:31.580 --> 12:34.840]  and you just can't let it go.
[12:34.840 --> 12:37.800]  I mean, this is that greater question about,
[12:37.800 --> 12:40.020]  what does it take to be a hacker?
[12:40.480 --> 12:44.700]  It's always nice to hear people who are out there in the world
[12:44.700 --> 12:47.720]  doing these presentations, doing this research,
[12:47.720 --> 12:53.580]  talk to the rest of us who are getting our feet wet
[12:53.580 --> 12:56.580]  in the world of web application security
[12:56.580 --> 13:00.100]  or whatever your niche is.
[13:00.100 --> 13:04.100]  How do the rest of you folks who are getting all of the success,
[13:04.100 --> 13:05.940]  doing these cool presentations and research,
[13:05.940 --> 13:08.060]  how do you approach these?
[13:08.060 --> 13:10.180]  How do you know when you have something cool?
[13:12.940 --> 13:19.120]  So in my case, and continuing Alexander's response,
[13:19.120 --> 13:22.980]  I guess that I started this research because Oleg came to me
[13:22.980 --> 13:26.020]  and said, like, okay, I found these four different ways
[13:26.020 --> 13:28.960]  of breaking the server in safe mode.
[13:28.960 --> 13:32.760]  For that time, I mean, we found a lot of more.
[13:33.380 --> 13:37.980]  So he said, like, maybe if we also look at the Java side,
[13:37.980 --> 13:41.120]  we get something interesting that can be interesting,
[13:41.120 --> 13:46.560]  like a full research, like something that is more self-contained somehow.
[13:46.580 --> 13:49.360]  And then he told me, like, can you take a look
[13:49.360 --> 13:52.320]  at some of the most popular engines in Java?
[13:52.320 --> 13:55.500]  And when I was there, I was like, okay, let's see.
[13:55.500 --> 13:59.260]  Before I started looking at the implementation of those engines
[13:59.260 --> 14:02.460]  and do, like, code review and things like that,
[14:02.460 --> 14:04.880]  it was like, okay, I'm here. I get access.
[14:04.880 --> 14:07.220]  I assume that I get access to a template.
[14:07.220 --> 14:10.160]  What can I do now? What objects are available?
[14:10.160 --> 14:14.280]  So I started looking and inspecting the template context
[14:14.280 --> 14:18.520]  by debugging the applications and setting some breakpoints.
[14:18.520 --> 14:21.860]  And then I was surprised that I was able to access
[14:22.560 --> 14:27.980]  thousands of objects that were unintentionally exposed.
[14:27.980 --> 14:31.860]  They were, like, they're indirectly exposed by other objects.
[14:32.000 --> 14:35.020]  And with that big amount of attack surface,
[14:35.020 --> 14:36.980]  it was like, this is going to be easy to find something
[14:36.980 --> 14:39.480]  that I can use to get remote code execution.
[14:39.480 --> 14:40.580]  That was the case.
[14:40.580 --> 14:42.920]  And then as a second part of the research,
[14:42.920 --> 14:46.540]  we started looking at the implementation of those libraries.
[14:46.540 --> 14:51.400]  And then we found some specific flaws in the implementation.
[14:51.400 --> 14:54.840]  The way they were checking block lists, for example,
[14:54.840 --> 14:58.920]  or gaps on those block lists or things like that,
[14:58.920 --> 15:00.760]  that I explained in the talk.
[15:01.000 --> 15:03.080]  That was your entry.
[15:03.080 --> 15:04.920]  You, all of a sudden, you're like, I have something.
[15:04.920 --> 15:07.460]  And then you spent a significant amount of time
[15:07.460 --> 15:10.820]  testing the boundaries of the thing that you had
[15:10.820 --> 15:14.640]  until you worked your way towards where we are now.
[15:14.740 --> 15:16.340]  That makes sense.
[15:16.340 --> 15:19.400]  It's always good to hear from you folks,
[15:20.100 --> 15:22.020]  kind of where you're coming from on that.
[15:22.460 --> 15:27.300]  So I saw a few different content management systems
[15:27.300 --> 15:28.520]  that you looked at.
[15:28.520 --> 15:31.980]  And I imagine at some point, you just kind of run out of time
[15:31.980 --> 15:34.060]  to keep checking things.
[15:34.060 --> 15:36.120]  Do you think that there are still more out there
[15:36.120 --> 15:37.840]  that people could follow your techniques
[15:37.840 --> 15:42.060]  and do the same kind of thing to find vulnerabilities?
[15:42.060 --> 15:43.840]  Is that also going to be an area
[15:43.840 --> 15:46.940]  that you plan to continue to research?
[15:46.940 --> 15:48.740]  Or are you guys kind of done with this one?
[15:49.980 --> 15:52.620]  Definitely, there should be a lot of products.
[15:52.620 --> 15:55.060]  We think there are a lot of products.
[15:55.060 --> 16:01.180]  As you mentioned, just a couple of them are under our focus.
[16:01.180 --> 16:04.580]  And actually, for example, if you're talking about SharePoint,
[16:04.580 --> 16:06.480]  it is not an automated approach.
[16:06.480 --> 16:09.240]  It's just manual and just to find some patterns.
[16:09.240 --> 16:13.440]  And we try to show this pattern in our presentation.
[16:13.580 --> 16:17.700]  And I believe there's still a lot of things to look for
[16:17.700 --> 16:21.980]  in SharePoint specifically and about other content,
[16:21.980 --> 16:24.220]  even not content management system.
[16:24.220 --> 16:31.140]  In any other system, like maybe email servers,
[16:31.140 --> 16:36.240]  if you can define a template for dynamic content
[16:36.240 --> 16:38.840]  for some auto-creation emails,
[16:38.840 --> 16:42.680]  it can be a starting point for your research as well.
[16:42.680 --> 16:46.940]  So the purpose of our research, our presentation,
[16:46.940 --> 16:55.080]  is just to show our patterns, our approaches, and say,
[16:55.080 --> 16:59.040]  hey guys, we use this and we got such results,
[16:59.040 --> 17:01.920]  like 30 new vulnerabilities.
[17:02.080 --> 17:03.900]  You can use the same.
[17:03.900 --> 17:05.820]  It's not only for the offensive side.
[17:05.820 --> 17:08.180]  It's for the defensive side as well.
[17:08.180 --> 17:17.360]  Guys, if you are developing something that goes in this bucket,
[17:17.360 --> 17:22.280]  you need to look at these areas to check this,
[17:22.280 --> 17:26.660]  because you can see what can happen.
[17:26.820 --> 17:31.520]  So, of course, anybody is welcome to continue this research.
[17:31.520 --> 17:34.400]  About myself, I'm not sure.
[17:34.400 --> 17:40.220]  I need to have some rest, a vacation, a couple of months after that, maybe.
[17:40.220 --> 17:45.780]  But usually, if you can see our talks, they are not linear.
[17:45.860 --> 17:48.600]  We are jumping from one topic to another topic.
[17:48.600 --> 17:51.220]  It's more interesting for me.
[17:51.220 --> 17:53.820]  But I do not know, maybe.
[17:54.060 --> 17:58.140]  If I still find something interesting, I will continue.
[17:58.140 --> 18:01.540]  But for the next year, to be honest, it will be more difficult
[18:01.540 --> 18:04.220]  because the competition will be higher.
[18:04.220 --> 18:10.460]  Maybe it's better to leave this for others and try to find some new areas.
[18:11.620 --> 18:17.680]  Based on all the different presentations that you two described earlier,
[18:17.680 --> 18:22.320]  it seems like you two work together really well in finding these types of things.
[18:22.320 --> 18:25.000]  I know some people earlier were asking,
[18:25.000 --> 18:30.700]  how should somebody go about starting out research and picking out targets?
[18:30.700 --> 18:37.200]  Do you have any suggestions for people on how they can start getting into the type of research field
[18:37.200 --> 18:40.840]  that you two seem to do really well?
[18:43.080 --> 18:47.900]  I don't think that one is easy to answer.
[18:49.020 --> 18:55.660]  It's just like, at least for me, being up to date with the latest research
[18:55.660 --> 18:59.680]  from other people in the community and industry.
[18:59.680 --> 19:04.660]  Or maybe reading articles that are not directly related with what you do.
[19:04.660 --> 19:09.560]  For example, I think that the JNDI injection that was the first one that we did together
[19:09.560 --> 19:16.440]  started out of reading an article about a malware analysis.
[19:16.720 --> 19:21.800]  And in that malware analysis, the malware was using some JNDI lookups.
[19:21.800 --> 19:24.900]  We found that interesting. We started researching that.
[19:24.940 --> 19:28.020]  And that led to the JNDI injection attack.
[19:28.020 --> 19:32.700]  As part of that attack, we found some gadgets that were using setters
[19:32.700 --> 19:37.060]  instead of magic methods in Java deserialization and so on.
[19:37.060 --> 19:43.320]  And we found that as an entry point to the JSON deserialization attacks that we did the following year.
[19:43.320 --> 19:46.800]  So sometimes one thing takes you to the next one.
[19:46.800 --> 19:48.820]  Sometimes they are not even related.
[19:48.820 --> 19:56.000]  Like jumping from JNDI to JSON deserialization or Mars Alert deserialization.
[19:56.000 --> 20:01.880]  So sometimes just reading a lot of stuff gives you ideas.
[20:01.880 --> 20:06.960]  Sometimes you just are playing with something in your regular work
[20:06.960 --> 20:11.600]  and then you find something interesting and you just pull the thread and find something else.
[20:12.060 --> 20:15.900]  It's just... I mean, things are not going to come to you.
[20:15.900 --> 20:19.760]  You have to be actively reading, looking for things,
[20:19.760 --> 20:22.400]  and then you will always find something that is interesting
[20:22.400 --> 20:25.540]  and you can pull the thread and find something more.
[20:25.540 --> 20:35.300]  If you just stay passive, like reading, but not asking yourself why things are working in such or such other way,
[20:35.300 --> 20:38.360]  then I don't think that there is room for research.
[20:38.900 --> 20:43.220]  And my suggestion is not to be focused on the results of the talk.
[20:45.220 --> 20:51.000]  It's very difficult on the first year to be accepted in Black Hat or DEF CON or something like that
[20:51.000 --> 20:52.860]  and produce such level of results.
[20:52.860 --> 20:57.940]  I would suggest just being focused on something, some area that you like best
[20:57.940 --> 21:02.960]  and that you are passionate about, and following new research.
[21:02.960 --> 21:08.040]  Try to understand each novel technique and maybe try your own thing.
[21:08.040 --> 21:11.860]  Maybe you have ideas; be passionate.
[21:12.080 --> 21:17.880]  I think... I do not know. For me, it took a couple of years to get some...
[21:17.880 --> 21:28.120]  If you are new, start to give your results and you can start to think about how to summarize this and present to others.
[21:28.960 --> 21:36.900]  And just starting a career from "let's talk at DEF CON," for me, it's difficult to imagine.
[21:36.900 --> 21:42.860]  You need to have some background in this area and produce something new.
[21:42.860 --> 21:46.380]  And for this, you need a year... not years, you need time.
[21:46.780 --> 21:50.440]  For somebody, it's months. For somebody, it's years.
[21:50.800 --> 21:56.660]  But still, for me, the main target is my passion in those areas.
[21:57.280 --> 22:00.780]  Not just a talk at DEF CON. DEF CON is the result.
[22:00.780 --> 22:02.860]  If you have results, you can present them at DEF CON.
[22:02.860 --> 22:07.000]  If you do not have results, let's wait, let's try another direction.
[22:07.000 --> 22:11.420]  But you need to like this. Without passion, it's difficult.
[22:11.420 --> 22:16.320]  I love that you two said really quite different things there.
[22:16.320 --> 22:21.320]  In one case, you have, hey, I was reading an article and then I thought really deep about that article.
[22:21.320 --> 22:25.480]  But it seemed like it was something different from your previous research.
[22:25.500 --> 22:31.820]  And then the other answer would be, I just really like this stuff and I learned everything I could about it.
[22:31.820 --> 22:37.940]  So it's nice to hear the two different sides, if not the two different sides,
[22:37.940 --> 22:43.240]  about how to approach a new topic and how to find something cool in it.
[22:43.240 --> 22:48.740]  Which is probably why they work together so well and have had so much great research through the years.
[22:48.760 --> 22:52.760]  We have very different approaches for everything.
[22:53.600 --> 22:55.960]  Even research is different.
[22:55.960 --> 23:07.940]  For example, I never read the documentation before research.
[23:07.940 --> 23:11.920]  It takes more time, but I have some rules.
[23:11.920 --> 23:15.980]  Do not open the documentation.
[23:15.980 --> 23:20.330]  Alvaro starts with the documentation and can find something more quickly.
[23:21.400 --> 23:23.280]  Significantly more quickly.
[23:30.580 --> 23:34.780]  So what did we not get to see during this presentation?
[23:34.780 --> 23:39.740]  I know you've already talked about when your presentations tend to jump around a little bit.
[23:39.740 --> 23:47.300]  So maybe you have the opportunity to hit more content or whatever you wanted to present during your go.
[23:47.300 --> 23:53.900]  But due to time or due to not having it fully formed in your head,
[23:53.900 --> 24:00.600]  what would you have liked to have put into this presentation where there was more time, more ability?
[24:01.920 --> 24:07.440]  So there is a lot of content that is not in the actual talk, in the actual video.
[24:07.440 --> 24:12.000]  But it's available in the white paper that we released as part of the talk.
[24:12.000 --> 24:16.560]  It's simply that we were not able to fit all the content in those 40 minutes.
[24:16.560 --> 24:24.580]  Apart from that, that's something that just didn't fit into the time allocated for the video.
[24:24.640 --> 24:28.840]  I think that I would also like to have looked into other languages.
[24:28.840 --> 24:31.480]  We just focused on .NET and Java.
[24:31.660 --> 24:39.040]  And maybe for .NET, I would also have looked into other content management systems that are different from SharePoint.
[24:39.040 --> 24:43.660]  Maybe, I don't know. I'm not really very familiar with .NET ecosystems.
[24:43.660 --> 24:52.400]  But, for example, DotNetNuke is a potential target that we just didn't have time to look into.
[24:54.280 --> 24:57.400]  I agree with Alvaro. Actually, we have more findings.
[24:57.400 --> 25:01.440]  And usually, when you start to search something, you have more findings.
[25:01.440 --> 25:05.240]  But you need to collect them in some topic, in some scope.
[25:05.240 --> 25:07.780]  Of course, a lot of things are out of scope.
[25:07.780 --> 25:11.680]  Maybe for the later research, maybe for some blog posts.
[25:11.680 --> 25:14.120]  Maybe not. Maybe it's not interesting.
[25:14.400 --> 25:15.660]  Something like that.
[25:16.060 --> 25:23.040]  It depends. If you have, like, a two-hour talk, maybe we will include some new stuff for SharePoint.
[25:23.040 --> 25:28.780]  There was some interesting stuff, because there was some playing with roles and other things.
[25:29.900 --> 25:41.580]  But I think our current white paper meets the scope of what we drew before this white paper and talks.
[25:41.580 --> 25:42.780]  And it's more interesting.
[25:42.780 --> 25:49.520]  When you have a lot of stuff, it's not good as well, because it's very difficult to focus on something.
[25:49.540 --> 25:52.720]  Even this stuff, we have two parts, .NET and Java.
[25:52.720 --> 25:57.080]  It's a bit different. Java has a lot of template engines.
[25:58.300 --> 26:00.480]  .NET has only SharePoint.
[26:00.480 --> 26:05.820]  It's a bit difficult to keep the audience focused for these two parts.
[26:05.820 --> 26:14.080]  I think if you want to include something else, maybe it's better to have a separate talk, not in this one.
[26:14.080 --> 26:16.540]  To build a new talk. Makes sense.
[26:16.540 --> 26:18.920]  It's nice to be able to isolate down.
[26:18.920 --> 26:22.760]  We always keep some sprouts.
[26:22.760 --> 26:24.180]  How do you say that in English?
[26:25.600 --> 26:29.180]  Something like seed sprouts for the next talk.
[26:29.180 --> 26:31.280]  Something that looks promising.
[26:31.700 --> 26:38.440]  Maybe it's a new way into a new road that can lead to something.
[26:39.720 --> 26:43.540]  That's also something that we normally don't include in the talks.
[26:44.920 --> 26:47.280]  You're never going to retire from this, are you?
[26:47.280 --> 26:51.220]  There's always going to be something new and interesting to do a talk on.
[26:51.740 --> 26:56.500]  It's difficult because the competition, from year to year, gets harder and harder.
[26:56.500 --> 27:00.000]  A lot of new guys and a lot of old guys.
[27:01.240 --> 27:03.020]  It's not easy.
[27:03.540 --> 27:08.160]  Let's hope that we will have motivation and time and resources for new researchers.
[27:08.160 --> 27:09.380]  We like this.
[27:09.680 --> 27:11.380]  Life will show.
[27:13.380 --> 27:16.940]  We have about five minutes left in our scheduled time here.
[27:18.920 --> 27:20.920]  What's your call to action?
[27:20.940 --> 27:26.000]  Where would you direct people to keep poking at this?
[27:26.000 --> 27:31.040]  Or what's something that, as you were hunting through all of this, that you were like,
[27:31.040 --> 27:38.140]  Oh, this would be something that I want somebody to look at, but maybe I don't have the background or the time.
[27:39.220 --> 27:41.340]  What's the gap?
[27:45.370 --> 27:47.410]  There's your question out of the blue.
[27:48.150 --> 27:54.490]  Yeah, so as I said, we didn't look at other languages.
[27:54.690 --> 28:02.710]  I know there is a lot of research around server-side template injection in JavaScript and Python.
[28:03.630 --> 28:06.510]  But yeah, so those are sandboxes as well.
[28:06.510 --> 28:10.450]  And probably those sandboxes need to be bypassed.
[28:10.450 --> 28:24.850]  A good direction for people wanting to look into this area of research is looking at how these other languages implement sandboxes and maybe try to find a way to break them.
[28:25.770 --> 28:30.930]  I agree with Edovara. Actually, we have two different languages, .NET and Java.
[28:30.930 --> 28:37.470]  I think if we found something similar in these two languages, we can assume that many others are affected.
[28:37.470 --> 28:40.430]  It's not a problem in languages, it's a problem in design.
[28:40.430 --> 28:45.650]  Actually, it's very difficult to implement good sandboxes for these cases, I believe.
[28:45.750 --> 28:47.490]  It's very difficult.
[28:47.490 --> 28:53.550]  There are a lot of potential areas and we try to highlight the most obvious of them.
[28:53.550 --> 29:06.450]  And I think it's a good idea to look in any places, in any languages, in any system, in any other place.
[29:06.450 --> 29:09.350]  That makes sense. Well, thank you for that.
[29:09.610 --> 29:16.910]  If you would be so kind, you can toss us something in the TrackOne channel; that would probably be a good place for this.
[29:16.910 --> 29:20.250]  Any place that folks can contact you later.
[29:20.270 --> 29:29.630]  Since this is a new format, we can actually put down if there's an email address or a Twitter profile or a GitHub.
[29:29.650 --> 29:31.570]  You could post that in that channel.
[29:31.570 --> 29:32.870]  I don't know if you can hear me.
[29:33.450 --> 29:35.170]  I can, as a matter of fact.
[29:35.170 --> 29:36.450]  Oh, maybe.
[29:37.130 --> 29:38.530]  I can hear you.
[29:39.710 --> 29:42.190]  We might have just lost him.
[29:42.190 --> 29:43.230]  You're back.
[29:43.230 --> 29:46.910]  Yeah, I'm back. I lost all of you.
[29:47.630 --> 29:48.830]  Well, welcome back.
[29:48.830 --> 29:55.370]  So we were just chatting about if there is a GitHub or a Twitter profile or an email or something that you...
[29:55.370 --> 29:59.610]  I believe you put something like that in your talk, but...
[29:59.610 --> 30:01.410]  Can everybody hear me?
[30:02.150 --> 30:07.190]  So my personal Twitter handle is Pontester, obviously.
[30:07.190 --> 30:15.070]  And also I work for the GitHub Security Lab, where all the advisories for the different content management systems
[30:15.070 --> 30:22.970]  with the details about how we were able to exploit them or break their sandboxes are being published.
[30:22.970 --> 30:25.790]  Some of them have been published already.
[30:25.790 --> 30:27.670]  Some of them are still to be published.
[30:27.670 --> 30:30.450]  So you may also want to follow that one.
[30:30.450 --> 30:34.630]  I think it's ghsecuritylab.
[30:34.630 --> 30:35.630]  Just let me...
[30:35.630 --> 30:41.870]  You can type that into the TrackOne channel at your leisure.
[30:42.830 --> 30:45.410]  And people can see that there.
[30:46.310 --> 30:47.450]  If there's...
[30:47.970 --> 30:50.650]  And that's pretty much the last of the questions I have.
[30:50.650 --> 30:59.450]  I want to thank you both very much for building this presentation and taking time out of your day to come and do this QA with us.
[30:59.450 --> 31:04.250]  This is what makes this community better than anything else I've ever been a part of.
[31:04.250 --> 31:06.870]  So thank you very much for your efforts.
[31:06.870 --> 31:10.250]  And I hope to see more from you folks in the near future.
[31:11.590 --> 31:13.530]  Thank you very much for having us.
[31:13.530 --> 31:17.750]  And hopefully, yeah, we can present again in DEF CON next year.
[31:18.110 --> 31:19.670]  And next time in person.
[31:20.310 --> 31:21.190]  Definitely.
[31:21.370 --> 31:22.690]  Next time in person.
[31:22.690 --> 31:24.430]  Well, I appreciate it.
[31:24.430 --> 31:25.970]  Have a great rest of your day.
[31:25.970 --> 31:26.970]  Enjoy the con.
[31:26.970 --> 31:38.070]  And to everyone watching, you should be able to see here in the next little while the contact information show up in the TrackOne channel.
[31:38.070 --> 31:40.570]  Otherwise, we will see you for the next one.
[31:40.630 --> 31:41.610]  Bye, everyone.
[31:42.210 --> 31:43.350]  Have a good one.
[31:43.530 --> 31:44.470]  Bye-bye.
